Hands-On Ethical Hacking and Network Security

Hands-On Ethical Hacking and Network Defense
Chapter 6
Enumeration
Objectives
• Describe the enumeration step of security testing
• Enumerate Microsoft OS targets
• Enumerate NetWare OS targets
• Enumerate *NIX OS targets
Introduction to Enumeration
• Enumeration extracts information about:
  • Resources or shares on the network
  • User names or groups assigned on the network
  • Last time user logged on
  • User’s password
• Port scanning and footprinting
• Determine OS being used
• Intrusive process
• NBT (NetBIOS over TCP/IP)
• Tool for enumerating Microsoft OSs
Introduction to Enumeration (continued)
• Linux application installation
  • Create a new directory
  • Gzip command
  • Tape archive (tar) file
  • Configure installation
  • Install application
Introduction to Enumeration (continued)
• Using NBTscan
• Use nbtscan command to scan a range of IP addresses
• Example: nbtscan 192.168.0.0/24
Enumerating Microsoft Operating Systems
• Study OS history
• Knowing your target makes your job easier
• Many attacks that work for older Windows OSs still work with newer versions
NetBIOS Basics
• Network Basic Input Output System (NetBIOS)
• Programming interface
• Allows computer communication over a LAN
• Used to share files and printers
• NetBIOS names
• Computer names on Windows systems
• Limit of 16 characters
• Last character identifies type of service running
• Must be unique on a network
NetBIOS Null Sessions
• Null session
• Unauthenticated connection to a Windows computer
• Does not use logon and password values
• Around for over a decade
• Still present on Windows XP
NetBIOS Enumeration Tools
• Nbtstat command
• Powerful enumeration tool included with the Microsoft OS
• Displays NetBIOS table
• Net view command
• Shows whether there are any shared resources on a network host
• Use information obtained from port scanning during enumeration
• Use IP address obtained when port scanning to perform a NetBIOS enumeration
NetBIOS Enumeration Tools (continued)
• Net use command
• Used to connect to a computer with shared folders or files
Additional Enumeration Tools
• NetScanTools Pro
• DumpSec
• Hyena
• NessusWX
NetScanTools Pro
• Produces a graphical view of NetBIOS running on a network
• Enumerates any shares running on the computer
• Verifies whether access is available for shared resource using its Universal Naming Convention (UNC) name
DumpSec
• Enumeration tool for Microsoft systems
• Produced by Foundstone, Inc.
• Allows user to connect to a server and “dump” the following information
  • Permissions for shares
  • Permissions for printers
  • Permissions for the Registry
  • Users in column or table format
  • Policies and rights
  • Services
Hyena
• Excellent GUI product for managing and securing Microsoft OSs
• Shows shares and user logon names for Windows servers and domain controllers
• Displays graphical representation of:
  • Microsoft Terminal Services
  • Microsoft Windows Network
  • Web Client Network
  • Find User/Group
NessusWX
• Allows enumeration of different OSs on a large network
• Running NessusWX
• Be sure Nessus server is up and running
• Open the NessusWX client application
• To connect your client with the Nessus server
• Click Communications, Connect from the menu on the session window
• Enter server’s name
• Log on to the Nessus server
NessusWX (continued)
• Nessus identifies
• NetBIOS names in use
• Shared resources
• Vulnerabilities with shared resources
• Also offers solutions to those vulnerabilities
NessusWX (continued)
• Nessus identifies (continued)
• OS version
• OS vulnerabilities
• Firewall vulnerabilities
Enumerating the NetWare Operating System
• Security professionals see Novell NetWare as a “dead horse”
• Ignoring an OS can limit your career as a security professional
• Novell NetWare version 4.11
• Novell does not offer any technical support for earlier versions
NetWare Enumeration Tools
• NetWare 5.1 is still used on many networks
• New vulnerabilities are discovered daily
• You need to be vigilant in checking vendor sites and security sites
• Tool
• Nessus
NetWare Enumeration Tools (continued)
• Nessus
• Enumerates a NetWare server
• Determines eDirectory information
• Discovers the user name and password for the FTP account
• Discovers names of several user accounts
NetWare Enumeration Tools (continued)
• Novell Client32
• Available at www.novell.com
• Client available for several OSs
• Specify information for
• Tree
• Content
• Server
Enumerating the *NIX Operating System
• Several variations
  • Solaris
  • SunOS
  • HP-UX
  • Linux
  • Ultrix
  • AIX
  • BSD UNIX
  • FreeBSD
  • OpenBSD
UNIX Enumeration
• Finger utility
• Most popular tool for security testers
• Finds out who is logged in to a *NIX system
• Determine owner of any process
• Nessus
• Another important *NIX enumeration tool
Summary
• Enumeration is the process of extracting information from a system
  • User names
  • Passwords
  • Shared resources
• Tools for enumerating Microsoft targets
  • Nbtstat
  • Net view
  • Net use
  • Other utilities
Summary (continued)
• Tools for enumerating NetWare targets
• Novell Client32
• Nessus
• Tools for enumerating *NIX targets
• Finger
• Nessus